Have you noticed how popular sites like Facebook and Google are now giving you the ability to add two-factor authentication to improve security?
Well, now you can add two-factor authentication to your WordPress site. This ensures maximum security for your WordPress site and all registered users.
In this article, we will show you how to add two-factor authentication for WordPress using both Google Authenticator and SMS text messages.
Why Add Two-Factor Authentication for WordPress Login?
One of the most common tricks hackers use is called brute force attacks. By using automated scripts, hackers try to guess the right username and password to break into a WordPress site.
If they steal your password or accurately guess it, then they can infect your website with malware.
One of the easiest ways to protect your WordPress website against stolen passwords is to add two-factor authentication. This way even if someone stole your password, then they will need to enter a security code from your phone to gain access.
There are multiple ways to set up 2-step login in WordPress. However, the most secure and easiest method is to use an authenticator app. Simply click the links below to jump to the method you prefer:
- Method 1. Adding Two Factor Authentication in WordPress (Easier Method)
- Method 2. Adding Two Factor Authentication using Two Factor
Let’s take a look at how to easily add two-factor verification to your WordPress login screen for free.
Method 1. Adding Two Factor Authentication in WordPress
This method is easier and recommended for all users. It is flexible and allows you to enforce two-factor authentication for all users.
First, you need to install and activate the WP 2FA – Two-factor Authentication plugin. For more details, see our step by step guide on how to install a WordPress plugin.
Upon activation, you need to visit the Users » Your Profile page and scroll down to the ‘WP 2FA Settings’ section.
From here, you need to click on the ‘Configure Two-factor authentication (2FA)’ button to launch the setup wizard.
The plugin will now ask you to choose an authentication method. It comes with two options:
- One-time code generated with your app of choice (Recommended)
- One-time code sent to you over email
We recommend that you choose the authentication via app method, as it is more secure and reliable. Then click on the Next button to continue.
The plugin will now show you a QR code which you need to scan using an authenticator app.
What is an Authenticator App?
An authenticator app is a smartphone app that generates a temporary one-time password for the accounts that you save in it.
Basically, the app and your website share a secret key (the QR code is how that key gets into the app), and both sides use it to compute the same short-lived one-time codes, which act as your second layer of protection.
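To show what the plugin's server side is doing with that shared key, here is an added example (not code from the WP 2FA or Two Factor plugins) of the standard TOTP algorithm (RFC 6238) with the checks a verifier should do: a small clock-drift window, a constant-time comparison, and rejection of a code that has already been used. The secret is the RFC's published test key, base32-encoded the way it would appear in a QR code.

```python
"""Minimal TOTP (RFC 6238) code generation and server-side verification."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test secret "12345678901234567890", base32-encoded as a QR code would carry it
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Base32 secrets are often shown in groups with spaces and lower case; normalise first."""
    return base64.b32decode(secret_b32.replace(" ", "").upper(), casefold=True)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP with the counter set to the current 30-second step."""
    return hotp(decode_secret(secret_b32), unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_used_counter: int = -1, window: int = 1, step: int = 30):
    """Return (ok, matched_counter). The caller stores matched_counter so the same
    code cannot be replayed within its validity window."""
    submitted = submitted.strip().replace(" ", "")
    if not (submitted.isdigit() and len(submitted) == 6):
        return False, None
    secret = decode_secret(secret_b32)
    now = unix_time // step
    matched = None
    # Accept +/- one step of clock drift; keep looping after a match so timing is uniform
    for drift in range(-window, window + 1):
        counter = now + drift
        if hmac.compare_digest(hotp(secret, counter), submitted):
            matched = counter
    if matched is None or matched <= last_used_counter:
        return False, None  # wrong code, or a code already consumed (replay)
    return True, matched


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SECRET_B32, now))
    print("verify:", verify_totp(SECRET_B32, totp(SECRET_B32, now), now))
```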
There are many such apps available for free.
The most popular one is Google Authenticator; however, it is not the best one. While it works great, it does not provide a backup that you can use if your phone is lost.
We recommend using Authy, since it is an easy-to-use and free app that also allows you to save your accounts on the cloud in an encrypted format. This way if you lose your phone, then you can simply enter your master password to restore all your accounts.
Other password managers like LastPass, 1Password, etc. all come with their own version of an authenticator, and these are all better than Google Authenticator since they allow you to restore your keys.
For the sake of this tutorial, we’ll be using Authy. You can follow our tutorial using a different app if you want, since they all work the same way.
First, click on the Add account button in your authenticator app:
The app will then ask permission to access the camera on your phone. You need to allow this permission so that you can scan the QR code shown on the plugin’s settings page.
The authenticator app will now save your website account, and it will start showing a one-time password that you can use to log in.
On the plugin’s setup wizard, click on the “I’m Ready” button to continue.
The plugin will now ask you to verify your one-time password. Simply click on your account in the authenticator app, and it will show you a six-digit one-time password that you can enter.
After that, the plugin will give you an option to generate and save the backup codes. These codes can be used in case you don’t have access to your phone. You can print these backup codes and put them somewhere safe.
After that, you can exit the setup wizard.
Setting Up WP 2FA Two-Factor Login for All WordPress Users
If you run a multi-user WordPress website such as a membership site, then the plugin also allows you to enable or enforce two-factor authentication for all users on your site.
Simply head over to Settings » Two-factor Authentication page to configure the plugin settings.
The plugin allows you to enable two-factor login for all users, make it compulsory for all users, and give users enough time to set it up.
If your WordPress website uses a custom login form page, then you can also create a custom page where users can manage their two-factor authenticator settings without accessing the WordPress admin area.
Don’t forget to click on the Save Changes button to store your new settings.
Here is how your default WordPress login screen will ask for the two-factor authentication code after users enter their regular WordPress password.
Method 2. Adding Two Factor Authentication using Two Factor
This method is a little less flexible, as it does not allow you to enforce two-factor login for all users. Each user will have to set it up on their own and can disable it from their profile.
First, you need to install and activate the Two Factor plugin. For more details, see our step by step guide on how to install a WordPress plugin.
Upon activation, you need to visit the Users » Profile page and scroll down to the Two-Factor Options section.
From here, you need to choose a two-factor login option. The plugin allows you to use email, authenticator app, and FIDO U2F Security Keys methods.
We recommend using the authenticator app method. Simply download an authenticator app like Google Authenticator, Authy, or LastPass Authenticator and scan the QR code shown on the screen.
Once you have scanned the QR code, the app will show you a verification code that you need to enter into the plugin options and click on the Submit button.
The plugin will now set the secret key. You can reset this key at any time from the settings page to rescan the QR code.
Don’t forget to click on the Update Profile button to save your settings.
Now each time you log in to your WordPress website, you will be asked to enter the authentication code generated by the app on your phone.
Frequently Asked Questions about Two Factor Authentication (2FA) in WordPress
Following are answers to some of the commonly asked questions about using two-step login in WordPress.
1. How do I log in if I don’t have access to my phone?
If you are using an authenticator app with a cloud backup option like Authy, then you can install the app on your laptop as well.
This gives you access to the authentication codes even when you don’t have your phone with you. It also allows you to easily restore your secret keys when you buy a new phone.
Both methods mentioned above also allow you to generate backup codes. These codes can also be used as one-time passcodes when you don’t have access to your phone.
2. How to log in without any codes?
If you don’t have access to your phone, laptop, or backup codes, then you can only log in by disabling the plugin.
See our guide on how to deactivate all WordPress plugins when not able to access the admin area.
Once you deactivate all plugins, this will also disable the two-factor authentication plugin, and you’ll be able to log in to your WordPress website. Once logged in, you can reactivate the plugins and reset the two-factor authentication setup.
3. Do I still need to password protect the WordPress admin folder?
Website security works best when you have multiple layers of security to protect your website, starting with the basics like using HTTPS and secure WordPress hosting. The 2-factor verification makes your WordPress login secure, but you can make it even more secure by password protecting the WordPress admin area.
This comes in handy if you have a WordPress membership website, an online store, or an online course website. Your users will be able to login securely, but they will not be able to access the WordPress admin area.
We hope this article helped you add 2-factor verification for WordPress login. You may also want to see our list of the best virtual business phone number apps, or our guide on how to get a free SSL certificate for your WordPress site.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
What if you migrate your website to a different domain- will your 2FA be linked to the old domain? Would you have to deactivate it before migrating your website to the new host and domain?
Bikash Rai says
How to remove two factor authentication that I get every time I log in? I want to simply get rid of this thing.
Thanks in advance!
WPBeginner Support says
It would depend on which method you used to set it up. If you used the plugin, then you would remove the plugin to remove the two factor authentication. Should you be unable to remove it, if you reach out to your hosting provider they should be able to assist.
Hey please update this post. This plugin is too old and not tested on three major updates of WordPress.
WPBeginner Support says
Thank you for letting us know about the plugin not being updated; we’ll be sure to take a look at it. The Two Factor SMS plugin is the only one not updated; the first plugin has been updated.
Lisa Smith says
Found this to be really helpful related to Two Factor, but FYI – the Two Factor SMS plugin hasn’t been updated in several WP versions.
WPBeginner Support says
Thank you for letting us know, we’ll be sure to take a look into this for other plugin options
You can simply do it via wordpress.com.
Anna Walton says
I’ve followed your exact instructions just now to set up 2FA with Twilio. I logged out after finishing the set-up as per the article, and now I can’t get back into my site! I get the code from Twilio, but it says there’s an error! Unfortunately, I’d not yet set up the 2FA with the authenticator app, as I followed the steps in the article, which was to log out first to see it working. Can you advise please? I’ve checked your article https://www.wpbeginner.com/wp-tutorials/locked-out-of-wordpress-admin/, but this doesn’t seem to cover getting locked out due to 2FA error. I use your site loads, and think your guidance is great! Please help on this one!!
WPBeginner Support says
You can manually delete the plugin using FTP. Connect to your website and go to /wp-content/plugins/ folder and then delete two-factor and two-factor-sms folders. You can always reinstall the plugins after login.
Patrick Bartkus says
FreeOTP is an Open Source alternative to Google Authenticator. It is not controlled by Google and is maintained by Red Hat under the Apache 2.0 license. It is available for iOS and Android. It also works on Google sites.